Delete Old Data from Storage Groups

Events are stored in their assigned storage groups in the ArcSight Database. Over time, the storage system can retain unneeded or outdated data. To preserve space in the database and improve data retrieval from storage groups, you can configure the database to remove events older than a certain number of months. For example, the data retention policy for your organization might expect data older than 24 months to be purged. This process deletes data from the database.

The system automatically applies all deletion settings on the first day of the month at 2:10 a.m.

  1. Create or modify a storage group.
  2. For Delete Data Older Than, enter the age, in months, at which you want old events to be deleted.

    By default, the maximum value for retaining events in the Default Storage Group is 12 months. However, the license for your deployed product might require a lower maximum value, such as one month. With a Log Management and Compliance ArcSight Recon license, you can choose Never Expire for a long-term storage option. To select that option, your role must have the permission Never Expire Search Results.

    Ensure that your retention policy takes into consideration the maximum size of your storage groups and database. Also consider that, because it deletes events, the policy might affect the results of an Event Integrity Check.

  3. Click Save.
  4. Apply your changes.